doratesting

EU DORA · Testing

Digital operational resilience testing, demystified

The EU Digital Operational Resilience Act makes testing a legal duty for financial entities. Understand what you must test, how often, and where advanced threat-led testing kicks in.

  • Based on Regulation (EU) 2022/2554
  • In force since Jan 2025
  • Vendor-neutral

What is DORA

Testing your resilience is no longer optional

DORA is an EU regulation that makes digital operational resilience — including regular testing — a binding requirement for the financial sector.

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has applied across the EU since 17 January 2025. It sets uniform requirements for how financial entities manage and prove their resilience to ICT disruptions.

One of its five pillars is digital operational resilience testing. Entities must run a documented, risk-based testing programme and test the ICT systems supporting critical or important functions at least once a year, using independent, qualified testers.

The most significant entities go further: they must undergo advanced threat-led penetration testing (TLPT) every three years, modelled on real-world attacks. This guide focuses on the testing pillar — who must do what, and how often.

The testing regime

What DORA actually requires you to test

Four essentials that define the resilience-testing pillar.

  1. PROGRAMME

    A testing programme

    Not ad-hoc checks — DORA requires a documented, risk-based testing programme covering the ICT systems that support your important and critical functions.

  2. BASELINE

    Baseline tests, yearly

    At least annually, entities run tests such as vulnerability assessments and scans, network security assessments, source-code reviews and scenario-based testing on critical systems.

  3. TLPT

    Threat-led pen testing

    Significant entities must perform advanced threat-led penetration testing (TLPT) at least every three years, modelled on the TIBER-EU framework and real threat intelligence.

  4. INDEPENDENT

    Independent testers

    Testing must be carried out by qualified, independent parties. For TLPT, testers must meet strict competence and independence criteria set out in the regulation.

What to test

The testing types, and how often

DORA expects a layered programme. These are the main test types and their cadence.

  • Baseline · yearly

    Vulnerability assessments & scans

    Regular automated and manual assessment of weaknesses across ICT assets supporting important functions.

    Under DORA: Part of the required baseline testing programme.

  • Baseline · yearly

    Penetration testing

    Hands-on testing of critical systems to find exploitable weaknesses before an attacker does.

    Under DORA: Expected within the annual programme for critical systems.

  • Programme

    Scenario-based & resilience tests

    Exercises that test detection, response, business continuity and recovery — not just prevention.

    Under DORA: Evidence that ICT can withstand and recover from disruption.

  • Advanced · 3 years

    Threat-led penetration testing (TLPT)

    Intelligence-led, red-team-style testing against live systems, mandatory for significant entities.

    Under DORA: Required at least every three years for in-scope entities.

Applicability check

Does DORA testing apply to you — and what’s required?

Answer a couple of questions for a plain-English indication of your testing obligations. This is guidance, not legal advice.

Is your organisation an EU financial entity — or a critical ICT provider to one?

Indicative only — classification and exact obligations depend on your supervisor’s assessment and the applicable regulatory technical standards. Confirm your status with a qualified adviser.

The facts

DORA at a glance

A regulation in force now, with real scope and real testing duties.

17 Jan 2025
DORA has applied across the EU since this date — it is in force, not a future deadline.
Source: EUR-Lex · Regulation (EU) 2022/2554, 2025
22,000+
financial entities are estimated to fall within DORA’s scope across the EU.
Source: European Commission, 2024
Every 3 yrs
advanced threat-led penetration testing (TLPT) is required of significant entities.
Source: DORA Art. 26 · EUR-Lex, 2022
5 pillars
ICT risk management, incident reporting, resilience testing, third-party risk and information sharing.
Source: DORA · EUR-Lex, 2022

Each figure links to its primary source. Scope estimates are approximate; confirm your own status with a qualified adviser.

For security & compliance teams

Turn the testing pillar into a working programme

DORA doesn’t just ask whether you test — it asks whether you can evidence a documented, independent, risk-based programme.

DORA requires financial entities to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, and to test ICT systems supporting critical or important functions at least yearly using independent parties.
DORA Art. 24-25 · EUR-Lex
  • Map critical functions first

    Scope the ICT systems that support your important and critical functions — that’s what the testing programme must cover.

  • Layer the test types

    Combine vulnerability assessments, penetration testing and scenario-based tests into a coherent annual programme, not one-off checks.

  • Use independent testers

    DORA expects testing by qualified, independent parties — and TLPT has strict criteria for who may test.

  • Evidence everything

    Document findings, remediation and retesting. Supervisors want proof the programme works, not just that a test happened.

Frequently asked questions

Short, clear answers

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is an EU regulation, in force since 17 January 2025, that sets uniform ICT risk-management, incident-reporting, resilience-testing and third-party-risk requirements for the financial sector.

What testing does DORA require?

A documented, risk-based testing programme, with the ICT systems supporting critical or important functions tested at least yearly — using tests such as vulnerability assessments, penetration testing and scenario-based exercises, performed by independent parties. See the requirements →

Who is in scope of DORA?

A broad range of EU financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and more — plus their critical ICT third-party providers.

What is TLPT under DORA?

Threat-led penetration testing: advanced, intelligence-led red-team testing of live systems, required of significant entities at least every three years and modelled on the TIBER-EU framework. More on TLPT →

How often must we test under DORA?

The baseline programme requires testing of critical and important ICT systems at least once a year. Significant entities must additionally undergo TLPT at least every three years.

Can we use our own staff to test?

DORA requires testing by independent, qualified parties, and allows internal testers only under conditions (with safeguards for independence). TLPT in particular has strict criteria on tester competence and independence. See how to prepare →

What happens if we don’t comply?

DORA is directly applicable and enforced by national competent authorities, which can require remediation and impose penalties. Beyond fines, an untested resilience posture is a real operational and reputational risk.